4 Must-Know Ways to Comply with NSCC’s Cybersecurity Confirmation
Most organizations have a plan for cybersecurity, but the 3,000+ firms involved in banking, securities brokerage and insurance need more than a plan. These firms are required to confirm the existence and soundness of their cybersecurity programs.
In December 2019, the U.S. Securities and Exchange Commission approved a rule change that applies to three groups: 1.) members of the National Securities Clearing Corporation (NSCC), 2.) entities applying for NSCC membership and 3.) firms that provide trade data to the NSCC. The rule change resulted in a compliance requirement to complete a two-page Cybersecurity Confirmation.
Depending on the state of your firm’s cybersecurity program, the compliance challenge may be simple and easy to complete, or it can be complex and hard. Here are four must-know ways for compliance with SEC’s new rule and its objective: reasonable cybersecurity.
- Compliance with other cybersecurity regulations improves effectiveness
The New York State Department of Financial Services (NYDFS) cybersecurity regulation is the gold standard for meeting the Cybersecurity Confirmation objective to align with an industry-recognized framework. If your entity already complies with NYDFS, filling out the confirmation is a mere formality.
Using industry-standard, risk-based frameworks, including the NIST Cybersecurity Framework, the FFIEC Cybersecurity Assessment Tool and ISO 27001, puts your entity in an excellent position for complying with NSCC’s Cybersecurity Confirmation rule. The principles and standards in these frameworks and tools indicate a sound cybersecurity program. It’s also a good idea to assess your firm’s cybersecurity program against them to look for overlaps and gaps.
- A senior executive must sign the cybersecurity confirmation
Increasingly, regulators are holding senior management personally responsible for disclosures, rules and compliance, as with the UK’s Senior Managers and Certification Regime, which codifies individual accountability. The NSCC rule continues this trend.
On the Cybersecurity Confirmation, a senior executive must sign on behalf of the company, attesting to the information provided. Obtaining that executive’s signature could become a harder request for your compliance team. By assessing and doing due diligence on all aspects of the cybersecurity program, you can speak more confidently about the data provided and secure the signature.
- Acceptable methodology must be used to review cybersecurity programs
The cybersecurity confirmation calls for a comprehensive review of your cybersecurity program and framework to be conducted by one of the following:
- Certification of compliance with NYDFS
- A regulator, such as the Office of the Comptroller of the Currency (OCC), assesses the program against a designated cybersecurity framework or industry standard
- An independent external entity with cybersecurity domain expertise (SOC 2 certification, ISO 27001 certification, NIST CSF assessment)
- An independent internal audit function reporting directly to the board
Just check the box for the option you select above. Could it be that easy? It is if your program is certified by the NYDFS. The other options take legwork and thoroughness. It’s a reminder that the cybersecurity confirmation isn’t a form you fill out in an afternoon. Treat it more as a roadmap and a journey. Take the time to complete it, and involve other departments and individuals.
- Evaluate the impact of cyber risk from third parties
Organizations that outsource their NSCC relationship are responsible for having a program to evaluate the risk from using third parties.
The point is, you can’t truly outsource the cybersecurity program. It’s more like GDPR, where businesses and their partners are both responsible for protecting user data. Take steps to implement defined processes for evaluating the risks of using a third party, and document whenever you review third-party assurance reports. Protecting the company from the cyber risk of working with a third party includes protecting against reputational risk. That means dotting i’s and crossing t’s every step of the way.
A sign of things to come
NSCC’s new requirement, the Cybersecurity Confirmation, is the latest in a growing set of regulations and standards around cybersecurity, especially in the financial industry.
Financial services firms should see cybersecurity as a fiduciary duty. This is especially true for NSCC members, given that NSCC is designated a Systemically Important Financial Market Utility (SIFMU). That designation means government agencies believe a cyberattack on it could increase the risk of liquidity problems spreading among financial institutions and markets, thus threatening the stability of the U.S. financial system.
The bottom line is, the financial industry can expect regulations like the NSCC’s to keep rolling out as part of a growing trend. A few steps in the right direction can put a company on a path to compliance with the requirements that are yet to come.
Learn more about Lockpath by NAVEX Global for regulatory compliance and cybersecurity.